How the UAE ITC data law impacts businesses
Many industry sectors will be surprised to hear that the UAE has a well-developed legal framework for the protection of individual data subjects in respect of their health data and information. Despite this, health data is often misused in the UAE, and in some cases, industries may not understand the importance of protecting their healthcare data, and the implications from not doing so.
Healthcare data is sensitive personal data, belonging to the individual exclusively, and should be protected at all costs by the controllers and processors of that information. This is a fundamental legal right of data subjects.
Many jurisdictions protect health data and information through complex legal frameworks, providing protection to data subjects, with appointments of dedicated data protection agencies like the Information Commissioner in the UK.
UAE Federal Law No. (2) of 2019 - Using IT and Telecommunications in the Healthcare Sector commonly referred to as ITC law, protects all healthcare related information and data in the UAE, when processed through electronically. This law is applicable to all businesses processing and controlling healthcare data of any individual resident in the UAE. ITC law, for all intents and purposes, is the first Federal data privacy law of its kind in the UAE, albeit limited to healthcare data.
Businesses involved with healthcare data should be aware that they have strict obligations to process the healthcare data in accordance with THE law and to keep the healthcare data secure, and not disclose to third parties without the individual’s consent. They should keep accurate, and updated records of the healthcare data and only process it for lawful purposes. In many cases, healthcare data should not be transferred outside the UAE (there are some limited exceptions), as this is illegal and will incur violations with serious penalties for those businesses that transfer healthcare data out.
ITC law has had, to a large extent, been a wakeup call for the UAE healthcare industry to regulate their operations with data protection at the forefront of their businesses, which historically was not the case before the implementation of the ITC Law. Many healthcare industry players have now appointed data protection officers and have put in place strict data protection policies providing better consumer protection to data subjects.
The ITC Law has also, for the first time in the UAE, created a central data sharing system, where healthcare data is populated. This will benefit the UAE healthcare markets in terms of providing quality and accurate data to avoid potential fraud and better risk allocation of health insurance for the market. So, in the long term, it will benefit healthcare consumers of medical services. Historically, health data was never shared between organisations, as this was seen as a competitive advantage to the receiver of the information. This resulted in repetition of healthcare records and unnecessary costs.
The ITC Law is wide in its application and applies to pharma companies, healthcare providers/facilities, medical insurance providers, insurance intermediaries dealing and placing medical insurance, third party medical claims administrators, technology companies in the healthcare space, and others dealing with healthcare date/information through technology platforms i.e., analytics of healthcare data/information. It will also apply to many businesses in the UAE that keep records of sick leave for their employees.
There are other laws related to health data protection, which include Dubai Healthcare City’s DHCC Health Data Protection Regulation No. 7 of 2013 and Dubai International Financial Centre Law No. 5 of 2020. These laws have been implemented for some time and relate to free zone businesses but were probably the catalyst for the ITC Law.
Given the uptake of ever-increasing cyber breaches, and the mandated medical insurance requirements, for Dubai and Abu Dhabi residents which is seeing an increase in health data processing and retention, the implementation of the ITC Law and its impact is now more important than ever. Businesses must strictly adhere to ITC Law, otherwise they will find that noncompliance will result in other risks, such as cyber breaches resulting in penal and regulatory violations.
The UAE now has a strong and robust legal framework to protect healthcare data/information and data subjects. With ICT Law in place, the UAE markets have taken one step in the right direction for the protection of individual healthcare data and those consumers of medical services. UAE Businesses should take steps to put in place appropriate measures, to reduce any legal and regulatory actions against them.
In other words, act now, or pay the consequences.
About the author
Simon Isgar is a Partner and Head of Insurance at BSA Ahmad Bin Hezeem & Associates’ Dubai office. A specialist in international health regulation and health insurance law as well as general corporate law, Simon advises insurance companies and intermediaries on placement of risks and products in foreign markets including underwriting agents and brokers.